Cisco released patches for critical vulnerabilities in FMC FTD and ASA Products

Cisco has released multiple advisories and patches for vulnerabilities in its FMC, FTD and ASA product portfolios.

FMC

The first vulnerability, tracked as CVE-2024-20424 and assigned a CVSS score of 9.9, is a command injection vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges.

This vulnerability is rooted in insufficient input validation of certain HTTP requests within the web-based management interface of Cisco FMC. If successfully exploited, an authenticated, remote attacker could execute arbitrary commands with root-level permissions on the underlying operating system of the Cisco FMC device, or on any managed Cisco Firepower Threat Defense (FTD) devices.


This vulnerability affects all versions of Cisco FMC Software, regardless of device configuration, and there are no workarounds that mitigate it. Cisco has made it clear in its advisory that patching is the only way to fully protect against this vulnerability.

FTD

The second critical vulnerability, tracked as CVE-2024-20412 with a CVSS score of 9.3, was found in Cisco’s Firepower 1000, 2100, 3100, and 4200 Series devices. It allows an unauthenticated, local attacker to exploit static credentials embedded in the system, potentially leading to unauthorized access and configuration changes.

The flaw stems from the presence of static accounts with hard-coded passwords on the affected Cisco Firepower systems, which enables an attacker with local access to bypass authentication and log in to the device’s command-line interface (CLI) using those credentials. Once authenticated, the attacker can execute a limited set of commands, retrieve sensitive information, or even render the device unbootable by modifying certain configuration options.


The vulnerability impacts Cisco Firepower devices running FTD Software Release 7.1 through 7.4, with a vulnerability database (VDB) release of 387 or earlier. The affected models include:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 3100 Series
  • Firepower 4200 Series

Administrators can determine whether their devices are exposed by checking for the presence of the static accounts with the show local-user command. If the output lists accounts such as csm_processes, report, sftop10user, Sourcefire, or SRU, the device is vulnerable.

Cisco has released software updates to address CVE-2024-20412 and strongly advises users to upgrade their FTD software to a fixed release. In cases where immediate patching is not possible, Cisco has provided a workaround to reduce the risk. This workaround involves restricting local access and managing SSH configurations.

ASA

The third vulnerability, tracked as CVE-2024-20329 and assigned a CVSS score of 9.9, was found in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software. It could allow an authenticated, remote attacker to execute commands with root privileges, effectively taking complete control of the affected system.

The vulnerability stems from “insufficient validation of user input.” An attacker could exploit this flaw by “submitting crafted input when executing remote CLI commands over SSH.” This means that even users with limited privileges could potentially escalate their access and gain full control.


To determine if your device is at risk, Cisco recommends using the following command:

show running-config | include ssh

If the output includes the line “ssh stack ciscossh,” your device may be vulnerable.

Cisco has released software updates to address this vulnerability and urges users to upgrade to a fixed release as soon as possible. As a workaround, Cisco suggests enabling the native SSH stack by disabling the CiscoSSH stack using the following command:

no ssh stack ciscossh
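As an added example (not Cisco's own tooling), the following Python helper applies both advisory checks to captured CLI output: it looks for the static account names from the FTD advisory in "show local-user" output and for an active "ssh stack ciscossh" line in "show running-config | include ssh" output. The exact output format of the two commands is an assumption, and the sample captures below are constructed.

```python
"""Triage helper for the two device checks in the Cisco advisories (added example,
not Cisco's tooling). Input is captured CLI text; the samples are constructed."""
import re

# Static account names the FTD advisory (CVE-2024-20412) lists as indicators of exposure.
FTD_STATIC_ACCOUNTS = {"csm_processes", "report", "sftop10user", "Sourcefire", "SRU"}


def ftd_static_accounts(show_local_user: str) -> set[str]:
    """Advisory-listed static accounts present in `show local-user` output.
    Assumption: account names appear as separate words, so match whole tokens
    rather than a fixed column layout (the format differs between releases)."""
    tokens = set(re.findall(r"[A-Za-z0-9_]+", show_local_user))
    return tokens & FTD_STATIC_ACCOUNTS


def asa_ciscossh_enabled(show_run_ssh: str) -> bool:
    """True if `ssh stack ciscossh` is active in `show running-config | include ssh`.
    A line negated with `no` (the advisory's workaround) does not count."""
    for line in show_run_ssh.splitlines():
        if line.split()[:3] == ["ssh", "stack", "ciscossh"]:
            return True
    return False


def triage(show_local_user: str, show_run_ssh: str) -> dict:
    """Summarise both indicators for one device; patching remains the real fix."""
    accounts = ftd_static_accounts(show_local_user)
    return {
        "ftd_static_accounts": sorted(accounts),
        "ftd_exposed": bool(accounts),
        "asa_ciscossh_enabled": asa_ciscossh_enabled(show_run_ssh),
    }


# Constructed sample output (not a real device capture).
SAMPLE_SHOW_LOCAL_USER = """\
Username        Role
admin           Administrator
csm_processes   Administrator
SRU             Administrator
"""
SAMPLE_SHOW_RUN_SSH = """\
ssh stricthostkeycheck
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 30
ssh stack ciscossh
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_LOCAL_USER, SAMPLE_SHOW_RUN_SSH))
```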

At the time of the advisories, Cisco PSIRT was not aware of any public announcements or malicious use of any of these vulnerabilities.
